Exposing an Indian Police Spyware Cyber Operation that Fabricated Evidence on the PCs 
of Indian Activists - An OSINT Enrichment Analysis 


From: Jennifer Gonzales <jennifergonzales789@gmail.com> 
Date: Sat, 26 Oct, 2019, 15:38 

Subject: Reminder Summons For Rioting Case 

To: < > 


Jennifer Gonzales 
Special Public Prosecutor, Jagdalpur 


Guess which are the major IoCs (Indicators of Compromise) in this cyber attack campaign 
featured on Wired.com? Keep reading this OSINT enrichment analysis to find out the actual 
Indicators of Compromise. 


Sample Gmail accounts known to have been involved in the campaign include: 
jagdish.meshraam@gmail.com 
drsnehapatil64@gmail.com 
sinhamuskaan04@gmail.com 
jennifergonzales789@gmail.com 
payalshastri79@gmail.com 


Sample malicious domains known to have been involved in the campaign: 
researchplanet.zapto.org 
socialstatistics.zapto.org 
duniaenewsportal.ddns.net 


Sample domain registrant email addresses known to have been involved in the campaign 
include: 
harpreet.singh1984@yahoo.com 
marlenecharlton@outlook.com 
abadaba@eml.cc 
REUBEN123@RISEUP.NET 


Related malicious domains known to have been involved in the campaign include: 
hxxp://greenpeacesite.com 
hxxp://new-agency.us 
hxxp://chivalkarstone.com 
hxxp://newmms.ru 
hxxp://gayakwaad.com 
hxxp://bbcworld-news.net 
hxxp://newsinbbc.com 


Sample responding IPs for malicious domains known to have been involved in the 
campaign: 




Sample malicious MD5s known to have been involved in the campaign include: 




We'll continue monitoring the campaign and post updates as soon as new developments take 
place. 


